Assessment MS Office 365 Web & apps: Microsoft promises measures to mitigate 6 high privacy risks

July 9, 2020

On behalf of the Dutch Ministry of Justice and Security, Privacy Company conducted a repeat assessment of the privacy risks of the browser version of Microsoft Office 365, and the Office apps for iOS and android mobile phones. Privacy Company also assessed the privacy risks of Microsoft’s corporate Intune software, which allows system administrators, amongst others, to encrypt information on users' devices.

With the Ministry’s permission, we are publishing two blog posts about our findings. This blog is about the browser version, and the app version of Office 365. The second blog is about Intune.

For questions about the research, please contact SLM Rijk (StrategischLeveranciersmanagement Microsoft Rijk), which can be contacted via the Ministryof Justice’s press spokesperson, +31 (0)70 370 73 45.

Privacy terms Dutch government

In May 2019, SLM Microsoft Rijk concluded new privacy terms with Microsoft for the 300,000 digital workstations of the Dutch government. This concerns the Enterprise versions of the Office software that are used by the ministries, the Tax and Customs Administration, the police, the judiciary, and independent administrative bodies. According to these new privacy terms, Microsoft only acts as a data processor for all its online services, processes personal data for only three well defined and limited purposes, does not process the personal data for profiling, data analytics, market research or advertisements, and grants effective audit rights to the Dutch government.
Three DPIAs (Data Protection Impact Assessments) that Privacy Company conducted for the Dutch government in May and June 2019 showed that Microsoft had remedied the eight previously identified privacy risks for Office 365 ProPlus (the version of Office that you install on desktops, and laptops) through a combination of technical, organisational, and contractual measures. See the earlier blog about these risks.
However, the DPIA on Office for the Web and the mobile Office apps (published 23 July 2019) showed that Microsoft did not yet implement these measures for the browser and app versions of the software. Microsoft mistakenly believed that the new privacy terms negotiated by the State did not apply to all data processing via the mobile Office apps.
In January 2020, Microsoft implemented global improvements of its privacy terms for its online Enterprise and Business services. See the Online Service Terms with separate Data protection Addendum of April and January 2020 respectively. These improvements are inspired by the specific new privacy terms negotiated by the Dutch government. However, the improvements are explicitly not equal to these terms.

What is Office 365?

The Office 365 software can be used in three ways. The software can be installed on the computers and laptops of data subjects (Office 365 ProPlus), installed on smartphones, and tablets (mobile Office apps for iOS and Android), and as online applications that run in a browser (Office for the Web, formerly also called Office Online).
This DPIA concerns the last two versions of the software: Office for the Web and the mobile Office apps. The DPIA identifies the risks of diagnostic data processing via the five most commonly used applications expected: Word, PowerPoint, Outlook, Excel, and Teams in combination with the use of Connected Experiences such as the spell checker, use of the cloud storage services SharePoint Online, and OneDrive for Business connected to Office, the cloud identity service (Azure Active Directory), and the online mail server (Exchange Online).

Microsoft collects the diagnostic data in several ways, via system-generated event logs on its own servers, and via the so-called telemetry client in the mobile Office apps. Like the telemetry client in Windows 10, and Office 365 ProPlus, Microsoft programmed the mobile Office apps, and, more recently, Office for the Web to systematically collect telemetry data on the device, and send it to Microsoft's servers in the US on a regular basis. Microsoft also collects data from the browser via telemetry messages from Office for the Web. Microsoft did not do this in the earlier version of Office for the Web version that was assessed in the previous (public) DPIA.

This DPIA is about the risks for data subjects of the processing of diagnostic data, and not about the content data that users have processed by Microsoft, such as text, photos, and videos. The diagnostic data also differ from the functional data that Microsoft must (temporarily) process to enable data subjects to use Microsoft's online services via the Internet.

Result: six high privacy risks

The outcome of this DPIA is that there are six high, and three low data protection risks for data subjects. These high risks are due to the following seven circumstances:

  1. When using Office for the Web, Microsoft sends personal data to two U.S. companies that are not processors: Optimizely and Giphy. From the mobile Office apps, Microsoft sends traffic to six other companies, four of which are not processors.
  2. Microsoft behaves as an independent controller for the processing of telemetry data regarding the use of the mobile Office apps, and the use of the Controller Connected Experiences. As controller, Microsoft permits itself to process personal data from and about the use of these services for all 17 purposes set out in its general privacy statement.
  3. Some telemetry messages from Office for the Web contain content data, such as file, path, and usernames. It is not clear whether Microsoft is behaving as a processor for these telemetry data.
  4. System administrators are not able to minimise the telemetry level in Office for the Web. Microsoft has not yet made a privacy control for the telemetry level in the Teams, Outlook, and OneDrive mobile apps on iOS and Android;
  5. The new ability to centrally disable the Controller Connected Experiences in Office for the Web and the Mobile Office apps does not yet work in the OneDrive, Outlook, and Teams apps on iOS and Android, nor in the Teams and OneDrive browser versions of Office for the Web.
  6. Microsoft does not publish any information about the telemetry it collects through Office for the Web and the Mobile Office apps. Although Microsoft made the Data Viewer Tool suitable to decode messages from the three mobile Office apps on iOS and Android, namely Word, PowerPoint, and Excel, it does not offer such a tool for the Outlook, Teams, and OneDrive apps.
  7. In response to a GDPR Data Subject Access request from the researchers, Microsoft did not give access to the personal data it processes about the use of the mobile Office apps, the Controller Connected Experiences, and the telemetry of Office for the Web.

Six high, and three low risks

The six high risks are:

  1. Lack of purpose limitation for the diagnostic data of mobile apps and Office for the Web: leads to loss of control over personal data for the data subject, possible re-identification of pseudonymised data, and possible loss of confidentiality.
  2. Lack of transparency on diagnostic data Office for the Web, mobile apps, Connected Experiences, and connected cloud services: leads to loss of control, possible loss of confidentiality, and impossibility to exercise your rights as a data subject.
  3. No control over telemetry level Office for the Web, and in the mobile Outlook, Teams, and OneDrive apps: leads to loss of control, possible re-identification of pseudonymised data, and possible loss of confidentiality.
  4. Transfer of personal data from Office for the Web to third parties: leads to loss of control, possible re-identification of pseudonymised data, and possible loss of confidentiality.
  5. Transfer of personal data from mobile apps to third parties: leads to loss of control, possible re-identification of pseudonymised data, and possible loss of confidentiality.
  6. No access for data subjects to the personal data that Microsoft processes about them as a data controller: leads to the impossibility of exercising your rights as a data subject.

The three low risks are:

  1. Chilling effect on employees if they fear being continuously monitored by their employer through the software: leads to limitations in the exercise of their fundamental rights;
  2. Long retention period of 18 months for the diagnostic data, and no individual deletion possibility: leads to limitation of the right to have excessive data deleted;
  3. Transfer of a limited amount of diagnostic data to a US processor: in the case of silent disclosures to law enforcement authorities, secret services or intelligence agencies this leads to loss of control, possible re-identification of pseudonymised data, and loss of confidentiality.

Mitigating measures Microsoft

SLM Microsoft Rijk provided Microsoft with the DPIA findings upon completion of this DPIA. The discussions between SLM Microsoft Rijk and Microsoft resulted in a set of measures that, upon successful implementation by Microsoft, result in the mitigation of high risks identified in the DPIA, if government organisations follow the recommendations set out in the DPIA report.

In sum, Microsoft’s technical and organisational measures will mitigate all identified 6 high risks.

Recommended measures for government organisations

  1. Turn off the Controller Connected Experiences.
  2. Set the telemetry level of the mobile Office apps to the lowest level.
  3. Administrators must regularly use the Data Viewer Tool to view the telemetry sent from the mobile Office apps.
  4. Disclose and enforce retention policy / clean up outdated data due to risks of transfer to the US.
  5. Retest new versions of the mobile Office apps / recommend users to install the latest versions as soon as the privacy risks have been mitigated.
  6. When using the Connected Cloud Services, establish policies to prevent file names and file paths from containing personal data.
  7. Inform employees about the access possibilities via DSR and audit logs.

What can companies do that if they want to use the Enterprise version of Office 365?

Companies and organisations outside the Dutch government have to take into account high(er) privacy risks when using Office 365 ProPlus, Office for the Web, and the mobile Office apps. They should turn to Microsoft, preferably through an industry organisation, to negotiate similar privacy guarantees as the Dutch government. Irrespective of that, organisations could also conduct their own DPIA, based on the reports of the government, and submit the residual risks to the Data Protection Authority, as referred to in Article 36 of the GDPR.

The how, and why of these recommendations are explained in the new DPIA report for SLM Microsoft Rijk. Also see the second new DPIA report on data processing via Intune.